Everything you need to know about call history and the latest sensationalized Apple 'security' non-scandal.
Apple has been accused of secretly, surreptitiously backing up and syncing your iPhone call history, in a hidden, and implicitly nefarious way. Sadly, the only nefarious things here are the motivations of the publications that chose to invent the story. When I asked Apple about the accusation, here's the statement they gave me.
"We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices," an Apple spokesperson told iMore. "Apple is deeply committed to safeguarding our customers' data. That's why we give our customers the ability to keep their data private. Device data is encrypted with a user's passcode, and access to iCloud data including backups requires the user's Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication."
I'm guessing that was after an epic double face palm, head desk, or both.
Wait, back up, what is this all about?
Forbes posted the following:
"Apple has a hidden feature for you in its iPhones: call logs going back as far as four months are stored in near real-time in the iCloud. That's the warning today from a Russian provider of iPhone hacking tools, Elcomsoft, which claimed the feature was automatic and there was no way to turn it off bar shutting down iCloud Drive altogether."
Yowza! 'Hidden' feature, really?
The Information called it "secretly" and "surreptitiously", but it's not only wicked obvious why Apple is syncing call history, it's fully disclosed in Apple's security white paper:
Here's what iCloud backs up:
- Information about purchased music, movies, TV shows, apps, and books, but not the purchased content itself
- Photos and videos in Camera Roll
- Contacts, calendar events, reminders, and notes
- Device settings
- App data
- PDFs and books added to iBooks but not purchased
- Call history
- Home screen and app organization
- iMessage, text (SMS), and MMS messages
- HomeKit data
- HealthKit data
Update: Apple has just now updated their knowledge base (KB) article to match the white paper. It's still propagating, so look for the version dated November 17, 2016.
Why is it "wicked obvious"?
Because, when you restore an iPhone from backup, including a new iPhone that replaces your old one, or you enable continuity calling so you can make phone calls from your iPad or Mac, you see your call history.
If Apple weren't backing up and syncing that information, you would lose it every time you restored your iPhone, and you'd have frustratingly different calling lists across your devices.
It's like setting up your email in Mail on multiple machines and then being told Apple is secretly backing up and syncing your inbox. Or using bookmark syncing in Safari and being told that Apple is surreptitiously saving your bookmarks and making them available across all of your devices.
But what about security and privacy?!
Security and privacy are continually at war with convenience. It's incredibly tough to balance both.
I make 50% of my calls off the call history list (the rest are with Siri), and maybe that makes me a terrible person, but it also makes it an indispensable service for me both to back up and to sync.
If call history sync concerns you, you can disable iCloud Drive in preferences and it'll stop. (It'd be nice if Apple made those all separate settings in iCloud.com, though others may argue it would result in settings fatigue.)
Is there anything Apple could do to make this more secure?
Always! Security is an uphill battle, especially when you're designing systems for mainstream consumers that need to be accessible and approachable. Storing call history in iCloud Drive may be workable, but there may also be a better, more granular option.
iOS 9 brought 2-factor authentication and iOS 10 made it easier to use. I expect that pattern will continue and we'll keep getting better protection and easier management going forward.
For now, as always, be informed but don't be alarmed, at least not for web views or product placements.